Slow DoS makes Quick Progress

Monday, January 9, 2012 @ 03:01 PM gHale

Proof-of-concept code is out that takes a different spin on the slow HTTP denial-of-service (DoS) attack simply by dragging out the process of reading the server’s response — and ultimately overwhelming it.

This new Slow Read attack is now part of the open-source slowhttptest tool, said Sergey Shekyan, senior software engineer with Qualys.

Update Rushed for Hash Collisions
Hash Flaw Allows DoS Attacks
Security Holes Threaten Mobile Phones
SCADA Security Alert: Mobile Workers

Slow Read basically sends a legitimate HTTP request and then very slowly reads the response, thus keeping as many open connections as possible and eventually causing a DoS.

Shekyan’s Slowhttptest attack tool initially gained inspiration from open-source tools Slowloris and OWASP’s Slow HTTP Post. Slowloris keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, while the Slow HTTP POST distributed DoS (DDoS) tool simulates an attack using POST headers with a legitimate “content-length” field that lets the Web server know how much data is arriving. Once the headers go out, the POST message body transmits slowly, thus gridlocking the connection and server resources.

Slow HTTP attacks are gaining in popularity among the bad guys as a way to quietly wage a DoS attack because these exploits are relatively easy to perform, require minimal computing resources, and often are tough to detect until it’s too late.

Organizations that deploy inline load balancers or rate-limiting traffic parameters are typically fairly protected from a full-blown DoS, but not all organizations have such resources to help mitigate a DoS or DDoS.

Shekyan said attackers today are combining old-school, lower-layer SYN Flood DDoS attack methods with the application-layer ones that exploit HTTP traffic. “And the more techniques you combine in an attack, the more effective it is,” he said.

He said his Slow Read attack slows down the HTTP response reading phase by exploiting the design of TCP, which keeps the connection open even if there’s little or no data flowing there. And this attack is harder to detect than the Slow HTTP attack.

“It’s very hard to catch these attacks. If you’re not monitoring your network layer, those requests look the same as your requests from legitimate clients,” he said.

To successfully pull off a Slow Read DoS, the attacker must know the server’s “send” buffer size and craft a smaller “receive” buffer. TCP’s default server buffer size ranges from 65 KB to 129 KB, Shekyan said.

“We need to make the server generate a response that is larger than the send buffer. With reports indicating the Average Web Page Approaches 1MB, that should be fairly easy. Load the main page of the victim’s Web site in your favorite WebKit-based browser like Chrome or Safari and pick the largest resource in Web Inspector,” Shekyan wrote in a proof-of-concept post.

Leave a Reply

You must be logged in to post a comment.